Secure Your Website with Certbot & Let's Encrypt

Enable HTTPS: A comprehensive guide to installing Certbot and setting up free SSL certificates for Apache on Ubuntu.

Estimated Time: Approximately 30 - 45 minutes

Overview: Why HTTPS and Certbot?

In today's digital landscape, securing your website with HTTPS (Hypertext Transfer Protocol Secure) is no longer optional—it's essential. HTTPS encrypts communication between your server and users' browsers, protecting sensitive data, improving user trust, and boosting your search engine rankings.

Let's Encrypt is a free, automated, and open Certificate Authority (CA) that provides trusted SSL/TLS certificates. Certbot is a free software tool, maintained by the Electronic Frontier Foundation (EFF), that automates the process of obtaining and renewing these certificates.

This guide will walk you through installing Certbot and configuring Apache on your Ubuntu server to use Let's Encrypt SSL certificates, ensuring your website is secure and trustworthy.

Experience Level

Beginner to Intermediate

Assumes familiarity with terminal commands and a basic understanding of web servers and domain names.

System Requirements & Prerequisites

  • Server: An Ubuntu 22.04 LTS or 20.04 LTS server.
  • LAMP Stack: A functional LAMP (Linux, Apache, MySQL, PHP) stack already installed, as detailed in our previous guide.
  • Domain Name: A registered domain name (e.g., `yourdomain.com`) that you control.
  • DNS Configuration: Your domain's A records (e.g., `yourdomain.com` and `www.yourdomain.com`) must be pointed to your server's public IP address.
  • Firewall (UFW): UFW must be configured to allow HTTP (port 80) and HTTPS (port 443) traffic. If you followed our LAMP guide, you should have `Apache Full` enabled.
  • Sudo Privileges: Access to a terminal as a non-root user with sudo privileges.

Step-by-Step Instructions

Step 1: Perform Initial System Update

Before installing new software, always ensure your system's package list is up-to-date.

sudo apt update && sudo apt upgrade -y

Step 2: Verify Firewall Configuration

Domain validation works in both directions: Certbot talks to the Let's Encrypt API over outbound HTTPS, and Let's Encrypt's validation servers connect back to your server on port 80 (the HTTP-01 challenge). Ensure your firewall (UFW) allows inbound HTTP (port 80) and HTTPS (port 443); the `Apache Full` profile covers both.

sudo ufw status

Step 3: Configure Apache Virtual Host for Your Domain

For Certbot's Apache plugin to work effectively and cleanly, you should have an Apache Virtual Host file configured for your domain, including the `ServerName` and `ServerAlias` directives.

Create a new virtual host file: (If you were previously using `/var/www/html` with the default `000-default.conf`, this is a good time to create a dedicated file.)

sudo nano /etc/apache2/sites-available/yourdomain.com.conf

Paste the following basic HTTP virtual host configuration. This tells Apache how to serve your site on port 80. You can point `DocumentRoot` to `/var/www/html` or a new directory like `/var/www/yourdomain.com`.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName yourdomain.com
    ServerAlias www.yourdomain.com
    # Use /var/www/yourdomain.com instead if you created a dedicated directory
    # (Apache does not allow comments at the end of a directive line, so notes go on their own lines)
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/yourdomain.com-error.log
    CustomLog ${APACHE_LOG_DIR}/yourdomain.com-access.log combined

    # Must match the DocumentRoot above (/var/www/yourdomain.com if you changed it)
    <Directory /var/www/html>
        # Indexes enables directory listings for folders without an index file; drop it if you do not want that
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>

Save and exit (`Ctrl+O`, `Enter`, `Ctrl+X`).

Enable the new virtual host and disable the default one (if applicable):

sudo a2ensite yourdomain.com.conf
sudo a2dissite 000-default.conf # Only if you're replacing the default site

Test Apache configuration and reload:

sudo apache2ctl configtest
sudo systemctl reload apache2

Step 4: Install Certbot

The recommended way to install Certbot on modern Ubuntu versions is via `snap`, which provides a self-contained and up-to-date version.

Ensure snapd is up to date:

sudo snap install core
sudo snap refresh core

Install Certbot:

sudo snap install --classic certbot

Create a symbolic link for easy access:

sudo ln -s /snap/bin/certbot /usr/bin/certbot

Step 5: Enable Apache SSL Module

Certbot will configure Apache's `mod_ssl` to handle HTTPS traffic. Ensure this module is enabled.

sudo a2enmod ssl

Restart Apache for the module to take effect:

sudo systemctl restart apache2

Step 6: Obtain and Configure SSL Certificate with Certbot

Now, run Certbot with the Apache plugin. It will automatically detect your configured virtual hosts, obtain certificates, and modify your Apache configuration.

sudo certbot --apache

You will be prompted to provide some information:

  1. Email Address: Enter an email for urgent renewal notices and security warnings.
  2. Agree to Terms of Service: Read and accept the Let's Encrypt Subscriber Agreement.
  3. Share Email: Choose whether to share your email with EFF (optional).
  4. Domain Selection: Certbot will list the domains it found in your Apache configuration (e.g., `yourdomain.com`, `www.yourdomain.com`). Select the numbers corresponding to all domains you want to secure (e.g., `1 2` for both).
  5. HTTPS Redirect: This is important.
    • `1: No Redirect` (Serve both HTTP and HTTPS, not recommended).
    • `2: Redirect` (Recommended) - All HTTP traffic will be automatically redirected to HTTPS.
    Choose option `2` for a secure website.

Step 7: Verify SSL Installation

After Certbot completes, it's time to verify that your site is now serving over HTTPS.

1. Browser Check: Open your web browser and navigate to `https://yourdomain.com` (and `https://www.yourdomain.com`).

2. Online SSL Checker: Use an online tool like SSL Labs SSL Server Test. Enter your domain name to get a detailed report on your SSL configuration and grade (aim for A or A+).

3. Command Line Check: For a quick check from your server (no `sudo` is needed; the verbose output shows the certificate details and the response status):

curl -vI https://yourdomain.com

Step 8: Verify Certbot Auto-Renewal

Let's Encrypt certificates are valid for 90 days. Certbot automatically sets up a systemd timer or cron job to renew them well before expiration, so you typically don't need to do anything manually.

Check the renewal timer status:

sudo systemctl status snap.certbot.renew.timer

Test the renewal process (dry run): This command simulates a renewal without actually changing your certificates.

sudo certbot renew --dry-run
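As an added example that is not part of the guide, the following POSIX shell script turns the checks from Step 7 and Step 8 into functions you can run unattended: it confirms from captured response headers that the port-80 site redirects to HTTPS, and reads the remaining validity from `certbot certificates` output to spot a renewal timer that has silently stopped. The sample headers and certificate listing are constructed, and `yourdomain.com` is the guide's placeholder domain.

```shell
#!/bin/sh
# Added example (not part of the guide): post-install checks for Step 7 and Step 8.
# It parses text you would capture with `curl -sI http://yourdomain.com` and
# `sudo certbot certificates`. The sample data below is constructed, not real output.

# Return 0 when a raw HTTP response (status line plus headers) is a redirect to an https:// URL.
is_https_redirect() {
    headers=$(printf '%s' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$headers" | grep -i '^location:' | head -n 1 | awk '{print $2}')
    case "$status" in
        301|302|307|308) ;;
        *) return 1 ;;
    esac
    case "$location" in
        https://*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the days left from the "(VALID: N days)" part of `certbot certificates` output,
# or -1 when no valid certificate line is found (expired certs are listed as "(INVALID: ...)").
cert_days_remaining() {
    printf '%s\n' "$1" | awk '
        /\(VALID: [0-9]+ days?\)/ { sub(/.*\(VALID: /, ""); sub(/ days?\).*/, ""); print; found = 1; exit }
        END { if (!found) print -1 }'
}

# Certbot renews a certificate once fewer than 30 days remain, so a live certificate that
# has dropped below that threshold means the renewal timer is not doing its job.
RENEW_THRESHOLD_DAYS=30
renewal_healthy() {
    [ "$(cert_days_remaining "$1")" -ge "$RENEW_THRESHOLD_DAYS" ]
}

# Constructed sample: what the port-80 virtual host answers after choosing "2: Redirect" in Step 6.
SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.52 (Ubuntu)
Location: https://yourdomain.com/
Content-Type: text/html; charset=iso-8859-1'

# Constructed sample: a site still serving plain HTTP with 200 (option "1: No Redirect").
SAMPLE_NO_REDIRECT='HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Type: text/html; charset=UTF-8'

# Constructed sample in the shape of `sudo certbot certificates` output.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: yourdomain.com
    Domains: yourdomain.com www.yourdomain.com
    Expiry Date: 2024-03-31 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/yourdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/yourdomain.com/privkey.pem'

# Run against the samples; on a live server substitute real output:
#   is_https_redirect "$(curl -sI http://yourdomain.com)"
#   renewal_healthy "$(sudo certbot certificates)"
if is_https_redirect "$SAMPLE_REDIRECT"; then echo "HTTP -> HTTPS redirect: OK"; else echo "redirect: MISSING"; fi
if is_https_redirect "$SAMPLE_NO_REDIRECT"; then echo "no-redirect sample: unexpectedly OK"; else echo "no-redirect sample: flagged as expected"; fi
echo "days until expiry: $(cert_days_remaining "$SAMPLE_CERTS")"
if renewal_healthy "$SAMPLE_CERTS"; then echo "renewal: OK"; else echo "renewal: below threshold, check the timer"; fi
```

A certificate reported below the 30-day threshold on a server whose timer shows as active is worth a look in `journalctl -u snap.certbot.renew.service`, which records each renewal attempt and its errors.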

Final Verification Checklist

Ensure all aspects of your HTTPS setup are functional:

  • Domain Resolves: Your domain (e.g., `yourdomain.com`, `www.yourdomain.com`) correctly resolves to your server's IP.
  • HTTP Redirects: Visiting `http://yourdomain.com` automatically redirects to `https://yourdomain.com`.
  • HTTPS Accessible: Your website is accessible at `https://yourdomain.com` with a valid padlock icon in the browser.
  • Certbot Auto-Renewal: The `certbot renew --dry-run` command completes successfully, confirming automatic renewals are configured.
  • UFW Allows HTTPS: `sudo ufw status` shows rules for port 443 (HTTPS) enabled.

Conclusion & Next Steps

Congratulations! Your website is now secured with free SSL/TLS certificates from Let's Encrypt, automatically managed by Certbot. This is a significant step forward in securing your web presence.

Here are some advanced steps and considerations for further security and optimization:

  • HSTS (HTTP Strict Transport Security): Consider adding an HSTS header to your site. This forces browsers to only connect via HTTPS, even if a user types `http://`. Certbot's Apache plugin adds it only when you pass `--hsts`, so check your virtual host for a `Strict-Transport-Security` header rather than assuming it is there.
  • Other Security Headers: Implement additional HTTP security headers (e.g., Content Security Policy, X-Frame-Options) to further protect your users.
  • Apache Hardening: Review your Apache configuration (`/etc/apache2/apache2.conf` and virtual host files) for best practices regarding security and performance.
  • Multiple Domains: If you need to secure multiple domains or subdomains, you can run `sudo certbot --apache` again and select the new domains, or specify them with `-d` flags (e.g., `sudo certbot --apache -d example.com -d sub.example.com`).
  • Wildcard Certificates: For securing all subdomains under a domain, you'd need a wildcard certificate. Let's Encrypt issues wildcards only through DNS validation, so Certbot needs a DNS plugin for your DNS provider (installed separately, with API credentials for that provider) and a command such as `sudo certbot certonly --dns-cloudflare -d '*.yourdomain.com' --expand`; this is more advanced.
  • Backup: Regularly back up your entire server, including `/etc/letsencrypt` and your Apache configuration files.
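The HSTS and security-header bullets above leave the verification to you. As an added example (not from the guide), this shell script audits a captured `curl -sI https://yourdomain.com` response for the headers they mention, reports the HSTS `max-age`, and prints the `mod_headers` directives that add them. The sample responses are constructed, and the directive values (a two-year HSTS lifetime, a `default-src 'self'` Content Security Policy) are starting points chosen for the example, not settings the guide prescribes.

```shell
#!/bin/sh
# Added example (not part of the guide): audit an HTTPS response for the security headers
# listed under "Next Steps" and print the Apache directives that set them.
# Feed it the output of `curl -sI https://yourdomain.com`; the samples below are constructed.

# Response headers every page should carry (matched case-insensitively).
REQUIRED_HEADERS="strict-transport-security x-content-type-options x-frame-options content-security-policy"

# Print the required headers that are absent from a raw response, space-separated (empty if none).
missing_security_headers() {
    headers=$(printf '%s' "$1" | tr -d '\r' | tr 'A-Z' 'a-z')
    missing=""
    for h in $REQUIRED_HEADERS; do
        if ! printf '%s\n' "$headers" | grep -q "^$h:"; then
            missing="$missing $h"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Return 0 only when no required header is missing.
headers_hardened() {
    [ -z "$(missing_security_headers "$1")" ]
}

# Print the max-age value of the Strict-Transport-Security header, or nothing if absent.
# Preload lists require at least one year (31536000 seconds).
hsts_max_age() {
    printf '%s' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1 \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p'
}

# Apache directives that add these headers. Requires mod_headers (sudo a2enmod headers).
# Save the output to /etc/apache2/conf-available/security-headers.conf, then run
# sudo a2enconf security-headers && sudo apache2ctl configtest && sudo systemctl reload apache2
security_headers_conf() {
    cat <<'EOF'
# Two years of HSTS. includeSubDomains commits every subdomain to HTTPS; drop it if one must stay HTTP-only.
# Add "preload" only after testing, because preload entries are hard to remove.
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
# Start restrictive and loosen per resource type only where the site actually needs it.
Header always set Content-Security-Policy "default-src 'self'"
EOF
}

# Constructed sample: a fresh Certbot-configured site with none of the extra headers.
SAMPLE_WEAK="HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
server: Apache/2.4.52 (Ubuntu)
content-type: text/html; charset=UTF-8"

# Constructed sample: the same site after the directives above were enabled.
SAMPLE_HARDENED="HTTP/2 200
date: Mon, 01 Jan 2024 00:00:00 GMT
server: Apache/2.4.52 (Ubuntu)
strict-transport-security: max-age=63072000; includeSubDomains
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
content-security-policy: default-src 'self'
content-type: text/html; charset=UTF-8"

# On a live server: missing_security_headers "$(curl -sI https://yourdomain.com)"
echo "weak site is missing: $(missing_security_headers "$SAMPLE_WEAK")"
echo "hardened site is missing: '$(missing_security_headers "$SAMPLE_HARDENED")'"
echo "hardened site HSTS max-age: $(hsts_max_age "$SAMPLE_HARDENED")"
```

Browsers ignore HSTS received over plain HTTP, so setting the header site-wide (including on the port-80 virtual host) is harmless; the values that need thought are `includeSubDomains`, which affects every hostname under your domain, and the CSP, which will block inline scripts and third-party assets until you extend it.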
